The PingDirectory server allows you to sanitize information as it's written to the access log so that you can prevent the system from logging sensitive information.
To learn about the mechanisms to protect information after it has already been logged, see Sanitizing log files.
The PingDirectory server can sanitize log content on a field-by-field basis for default text-based (name=value) and JSON-formatted access logs. You can also use log sanitization for any destination where these messages are written, such as log files, syslog, standard output, and standard error messages.
You can control log content for all access logs or on a per-log or per-field basis, including fields generated by third-party extensions. You can also specify a default behavior for all fields of a specified type, such as applying a default sanitization type for all distinguished names (DNs) and search filters.
Configuration elements
There are three main configuration elements for customizing log sanitization:
- Log field syntaxes
  These define the default behavior for each syntax and can specify additional configuration for these syntaxes (for example, the included/excluded LDAP attributes for distinguished names (DNs) and filters, or fields for JSON objects).
  For more information, see Customizing log field syntaxes.
- Log field behaviors
  These can be used to define specific behaviors on a per-field basis and an optional overall default behavior for fields that are not explicitly configured.
  For more information, see Customizing log field behaviors.
- Access loggers
  These can be associated with log field behaviors or can default to the log field syntax configuration.
For a description of the behavior of each log sanitization option, see Log sanitization options.